fix: prefer ~/.hermes/.env over os.environ when seeding credential pool

[franksong2702]

Summary

When _seed_from_env() reads API keys to populate the credential pool in auth.json, it was using get_env_value() which prefers os.environ over ~/.hermes/.env. This means stale env vars inherited from parent shell processes (Codex CLI, test scripts, etc.) can shadow deliberate changes to the .env file.

If a parent process exported OPENROUTER_API_KEY=test-key-fresh and the user later updates .env with a valid key, restarting Hermes still picks up the stale os.environ value, writes it back to auth.json, and all OpenRouter API calls silently fail with 401.

Changes

1. Added a local helper _get_env_prefer_dotenv() in _seed_from_env() that reads from ~/.hermes/.env (via load_env()) first, then falls back to os.environ
2. Replaced all 3 get_env_value() call sites in _seed_from_env() with the new helper
3. Added import os and load_env imports

Root Cause

get_env_value() in hermes_cli/config.py checks os.environ FIRST, then falls back to the .env file:

def get_env_value(key: str) -> Optional[str]:
    if key in os.environ:
        return os.environ[key]  # <-- takes priority over .env!
    env_vars = load_env()
    return env_vars.get(key)

This is a reasonable default for most call sites (runtime config), but for _seed_from_env() — which populates the persistent credential cache — the .env file should be authoritative. The credential cache already persists the snapshot, so the env var is only relevant during seeding; using a potentially stale os.environ value here defeats the purpose of the persistent cache.

Additional Discovery

During testing, another source of stale keys was identified: Hermes profile .env files at ~/.hermes/profiles/<name>/.env. These are created by hermes profile create --clone which copies the main .env at creation time. If the main .env had a test/stale key at that point, the profile retains it even after the main .env is updated. This is a separate concern from the os.environ priority issue, but users should be aware that profile .env files may also need manual sync when rotating keys.

Test Plan

• Syntax verification: python3 -c "import py_compile; py_compile.compile('agent/credential_pool.py', doraise=True)"
• Manual: set a key in .env, export a different value in shell, restart Hermes → should use .env value
• Existing credential pool tests should pass

Related Issues

Closes #18254

[teknium1]

Merged via #18755 — your commit cherry-picked onto current main with authorship preserved via rebase-merge. Added regression tests for both the bug case (stale shell export shadowing fresh .env) and the fallback case (runtime-injected env in Docker/K8s deployments without a .env file). Thanks for the clean narrow fix!

#18755